This blog is a follow-up to the earlier blog on the business benefits of adopting AWS Fargate Container-as-a-Service (CaaS). In this blog, learn how Layered Insight's solutions provide deep visibility and protection for applications running on such a service. It provides detailed steps for enabling Layered Insight's Adaptive Analysis and Automated Enforcement solutions for containers running on AWS Fargate.

AWS Fargate

AWS Fargate is a CaaS offering from AWS that completely abstracts away the underlying container infrastructure and orchestration layer for businesses. It offers containers as the primary compute primitive. With that paradigm, businesses don't have to worry about managing server or VM clusters for running containers. It also simplifies the orchestration layer, whether AWS ECS or Kubernetes. Businesses can simply focus on creating and deploying their application workloads. With the rapid and continuous changes happening in the container ecosystem, AWS Fargate gives businesses an easy, accelerated path for migrating their application workloads to containers. Businesses don't have to worry about what their container infrastructure stack should be, which orchestration layer to choose, or how to configure and manage it.

Layered Insight Runtime Solutions

Layered Insight's runtime solutions were designed, right from the beginning, around the unique approach of embedding visibility and protection into each individual container. This approach has three key advantages:

  1. Deepest visibility and fine-grained control from within the application, which leads to the most efficient protection
  2. Automatic scaling, as every container instance has the solution running as part of the application itself, and
  3. Infinite portability, as the solution automatically moves with the containers.

Layered Insight's solutions are the only ones that work on AWS Fargate. They don't rely on host agents, kernel plugins, or privileged containers, none of which are supported on AWS Fargate.

Security Concerns Around Containers

By now, the security concerns around containers are well documented.  Therefore, I will briefly summarize the primary concerns/requirements that still apply in the paradigm of CaaS solutions like AWS Fargate.

  • Deployment
    • A security solution that's zero-touch for developers, meaning one that doesn't require developers to revisit their code or wrap critical calls with the solution's SDK.
    • A solution that's also zero-touch for the DevOps processes and the application deployment scripts.
  • Configuration
    • Reduce the attack surface by giving each application container only those privileges that are required for it to function, and nothing more.
    • A security solution that doesn’t require manually configuring security whitelists or blacklists.
  • Protection
    • Though the security of the underlying container infrastructure has been offloaded to AWS Fargate, the containerized applications would still have to be protected from external attacks.
    • Protect the applications from the exploitation of even unpatched vulnerabilities, known or unknown.
    • Prevent an attack that has compromised one container from spreading to other containers.

Deploying Layered Insight

Getting deep visibility and control into all the activities and behavior of each application container running on AWS Fargate is quick and easy.  Simply deploy Layered Insight and configure it to access AWS Elastic Container Registry (ECR), identifying where application container images are stored.  Layered Insight can be deployed on AWS Fargate or on an EC2 cluster.  For the CloudFormation deployment template, please contact the Layered Insight team at [email protected].

Image 1: Deploying Layered Insight on AWS Fargate

Image 2: Layered Insight Running on AWS Fargate

Image 3: Layered Insight’s Running Containers

Layered Insight can also be configured to work in the build or ship phases, through its integration with the AWS CodeBuild and AWS CodePipeline services. We'll cover those details in subsequent blogs.

Instrumenting Application Containers

Once Layered Insight has been deployed, the next step is to instrument container images. From the Layered Insight command console, configure AWS ECR with the repository where the application container images are stored.

Image 4: Adding AWS ECR Container Registry

Select the specific containers that you want to be protected. Layered Insight starts the instrumentation process.

Image 5: Select Container Image to Instrument

Depending on the size of the container image, Layered Insight takes anywhere from a few seconds to a couple of minutes to create the instrumented version of the image. Layered Insight creates a new container image within the same AWS ECR repository, so AWS ECR stores both the original and the instrumented image.

Image 6: AWS ECR with Both Container Images: Original and Instrumented

Monitoring Application Containers

AWS Fargate deploys the instrumented container image exactly the same way as the original image. Whenever a new instance of the application container starts running, it sends detailed activity logs to the Layered Insight command console. Every system, network, storage and application call is captured and collected, all from within the running container.

Image 7: Container Activity within Layered Insight

Image 8: Detailed Container Activity within Layered Insight

Image 9: Behavior Activity of the Running Container

Protecting Application Containers

Layered Insight automatically converts all the observed container activity into a behavior policy and applies it to protect the container.

Image 10: Auto-generated Policy within Layered Insight

Whenever the container does something that deviates from its behavior policy, Layered Insight creates an alert. Layered Insight can be configured to allow, block, or allow-and-record the anomalous activity. In the accompanying screenshots, the protected container tries to launch a shell as a result of an unpatched vulnerability being exploited. Layered Insight blocks that shell launch and provides full details about the anomalous activity.
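To make the learn-then-enforce model described above concrete, here is an added illustrative example (not Layered Insight's code; the event categories, sample baseline and runtime events are all constructed). It turns observed in-container activity into an allow-policy, then handles a later shell launch under each of the three enforcement modes.

```python
"""Illustrative behaviour-policy model (added example, not Layered Insight code).

Learning phase: every observed in-container event becomes permitted behaviour.
Enforcement phase: an event outside the policy always raises an alert and is
then handled according to the configured mode (allow / block / allow-and-record).
Event kinds and field values are constructed for this example.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    kind: str    # constructed categories: "exec", "connect", "open"
    target: str  # binary path, host:port, or file path

@dataclass
class BehaviorPolicy:
    allowed: set = field(default_factory=set)
    mode: str = "block"  # "allow", "block", or "allow-and-record"
    alerts: list = field(default_factory=list)

    def learn(self, events):
        """Learning phase: the union of everything observed is the policy."""
        self.allowed.update(events)

    def evaluate(self, event):
        """Enforcement phase: return the action taken for one runtime event."""
        if event in self.allowed:
            return "allow"
        self.alerts.append(event)  # every deviation produces an alert
        actions = {"allow": "allow", "block": "block", "allow-and-record": "record"}
        return actions[self.mode]

# Constructed baseline activity observed from a web-service container.
BASELINE = [
    Event("exec", "/usr/sbin/nginx"),
    Event("connect", "10.0.1.20:5432"),
    Event("open", "/etc/nginx/nginx.conf"),
]

def demo(mode="block"):
    """Learn the baseline, then evaluate normal traffic followed by a shell launch
    the baseline never saw (the deviation scenario the post describes)."""
    policy = BehaviorPolicy(mode=mode)
    policy.learn(BASELINE)
    runtime = [Event("connect", "10.0.1.20:5432"), Event("exec", "/bin/sh")]
    decisions = [(e, policy.evaluate(e)) for e in runtime]
    return decisions, policy.alerts
```

With the default `block` mode the database connection is allowed and the shell launch is blocked with one alert; `allow-and-record` still raises the alert but lets the event proceed.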

Image 11: Activity Overview Showing Policy Violation in Layered Insight

Image 12: Policy Violation within a Running Container in Layered Insight

Image 13: Policy Violation Details within Layered Insight

Embedded Security for Containers

Whether on CaaS offerings like AWS Fargate or on other container deployments, Layered Insight's embedded approach provides visibility and protection wherever the containers are running. This infrastructure- and orchestration-agnostic approach allows containers to be moved from one environment to another without having to worry about moving security along with them. You architect security once. For more information, please visit layeredinsight.com or contact us at [email protected].